
S1033 DCSrv

DCSrv is destructive malware that has been used by Moses Staff since at least September 2021. Though DCSrv has ransomware-like capabilities, Moses Staff does not demand ransom or offer a decryption key.[1]

Item Value
ID S1033
Associated Names
Version 1.0
Created 11 August 2022
Last Modified 24 October 2022

Techniques Used

Domain ID Name Use
enterprise T1543 Create or Modify System Process (parent technique; see sub-technique below)
enterprise T1543.003 Windows Service DCSrv has created new services for persistence by modifying the Registry.[1]
enterprise T1486 Data Encrypted for Impact DCSrv has encrypted drives using the core encryption mechanism from DiskCryptor.[1]
enterprise T1036 Masquerading (parent technique; see sub-technique below)
enterprise T1036.004 Masquerade Task or Service DCSrv has masqueraded its service as a legitimate svchost.exe process.[1]
enterprise T1112 Modify Registry DCSrv has created Registry keys for persistence.[1]
enterprise T1106 Native API DCSrv has used various Windows API functions, including DeviceIoControl, as part of its encryption process.[1]
enterprise T1027 Obfuscated Files or Information DCSrv's configuration is encrypted.[1]
enterprise T1529 System Shutdown/Reboot DCSrv has a function to sleep for two hours before rebooting the system.[1]
enterprise T1124 System Time Discovery DCSrv can compare the current time on an infected host with a configuration value to determine when to start the encryption process.[1]
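The T1543.003 and T1036.004 rows above describe a persistence pattern that can be hunted for generically: a service registered through the Registry whose binary is presented as svchost.exe. The following Python is an added example, not part of the ATT&CK entry and not code from Moses Staff or DCSrv. It parses constructed records shaped like Sysmon Event ID 13 (RegistryEvent: value set) writes to a service's ImagePath value and flags any service whose binary is named svchost.exe but is run from outside the Windows system directories, or whose binary name is a near-lookalike of svchost.exe. The event lines, service names (wuauserv, Spooler, UpdateSvc, WinHelper) and paths are constructed for illustration; the system-directory allow-list and the edit-distance threshold are assumptions of this example, not facts the page states about DCSrv.

```python
import ntpath
import re
from typing import List, Optional, Tuple

# Constructed records shaped like Sysmon Event ID 13 (RegistryEvent: value set),
# flattened to one line each. Illustrative only: not telemetry from a real DCSrv host.
SAMPLE_EVENTS = [
    r"EventID=13 TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\wuauserv\ImagePath Details=%SystemRoot%\system32\svchost.exe -k netsvcs -p",
    r"EventID=13 TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\Spooler\ImagePath Details=%SystemRoot%\System32\spoolsv.exe",
    r"EventID=13 TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\UpdateSvc\Start Details=DWORD (0x00000002)",
    r"EventID=13 TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\UpdateSvc\ImagePath Details=C:\ProgramData\svchost.exe",
    r'EventID=13 TargetObject=HKLM\SYSTEM\CurrentControlSet\Services\WinHelper\ImagePath Details="C:\Windows\Temp\svch0st.exe" -k netsvcs',
]

# Assumed allow-list: the only directories the genuine svchost.exe is expected to run from.
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}
REAL_NAME = "svchost.exe"
LOOKALIKE_MAX_DISTANCE = 2  # assumed threshold for catching name-squatting such as svch0st.exe

# Only ImagePath writes under the Services key are of interest; everything else is skipped.
IMAGEPATH_RE = re.compile(
    r"TargetObject=HKLM\\SYSTEM\\CurrentControlSet\\Services\\([^\\]+)\\ImagePath\s+Details=(.*)$",
    re.IGNORECASE,
)


def parse_event(line: str) -> Optional[Tuple[str, str]]:
    """Return (service name, raw ImagePath value) for a Services\\*\\ImagePath write, else None."""
    m = IMAGEPATH_RE.search(line)
    return (m.group(1), m.group(2).strip()) if m else None


def extract_executable(image_path: str) -> str:
    """Pull the executable path out of an ImagePath value (quoted or not) and normalise it."""
    image_path = image_path.strip()
    if image_path.startswith('"'):
        end = image_path.find('"', 1)
        exe = image_path[1:end] if end > 0 else image_path[1:]
    else:
        # Unquoted paths may contain spaces, so cut at the first ".exe" rather than at whitespace.
        m = re.match(r".*?\.exe", image_path, re.IGNORECASE)
        exe = m.group(0) if m else image_path.split()[0]
    exe = exe.lower()
    # Expand the environment variables commonly seen in ImagePath values (assumed install root).
    return exe.replace("%systemroot%", r"c:\windows").replace("%windir%", r"c:\windows")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot lookalike binary names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(service: str, image_path: str) -> List[str]:
    """Return findings for one service: real svchost.exe from a non-system directory, or a lookalike name."""
    exe = extract_executable(image_path)
    name, directory = ntpath.basename(exe), ntpath.dirname(exe)
    findings = []
    if name == REAL_NAME and directory not in SYSTEM_DIRS:
        findings.append(f"{service}: svchost.exe launched from non-system directory {directory}")
    elif name != REAL_NAME and edit_distance(name, REAL_NAME) <= LOOKALIKE_MAX_DISTANCE:
        findings.append(f"{service}: binary name {name!r} is a lookalike of {REAL_NAME}")
    return findings


def scan(lines: List[str]) -> List[Tuple[str, str]]:
    """Run the checks over a batch of event lines; returns (service, finding) pairs."""
    hits = []
    for line in lines:
        parsed = parse_event(line)
        if parsed is None:
            continue
        service, image_path = parsed
        hits.extend((service, f) for f in classify(service, image_path))
    return hits


if __name__ == "__main__":
    for service, finding in scan(SAMPLE_EVENTS):
        print(finding)
```

On a live host the same checks can be run directly over the ImagePath values under HKLM\SYSTEM\CurrentControlSet\Services rather than over Sysmon events; a hit on a newly created service is worth correlating with its creation time, since the page notes DCSrv gates encryption on a configured time value and sleeps before rebooting, so the service may exist for a while before any impact is visible.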

Groups That Use This Software

ID Name References
G1009 Moses Staff [1]